b'OFFICE OF THE INSPECTOR GENERAL\n\n\n\n\n           EVAI"UATION OF TilE\nU.S. INTERNATIONAL TRADE COMMISSION\'S\nFISCAL YEAR 2003 INFORMATION SECURITY\n         PROGRAM AND PRACTICES\n\n             Audit Report\n             0IG-AR-03-03\n\n\n\n\n                            September 22, 2003\n\x0c                                                               IG -A A-014\n\n\n\n\nUNITED STATES INTERNATIONAL TRADE COMMISSION\n\n                         WASHI NGTON, D.C.     aoeae\n September 22, 2003\n\n MEM ORA ND UM\n\n TO:    THE COMMISSiON\n\n We hereby subm it Aud it Report No . O IG\xc2\xb7AR-0 3-03, Evaluation ofrhe Us.\n Inremational Trade Cmnmissio/J\'s n sca f r ear 2()()J fnf ormalw n Security\n Program and Practices. W e conducted an independent evaluatio n ofthe\n Commission\'s information security program and pI<I\\.1ices to det ermine if the\n CQIlUllission: ( 1) implem ented appropriate act ions to address\n recommend atio ns made in OIG-AR-D2-Q2 (September 13, 2 002); and (2) met\n Federallnfonnation Security M anagement Ad cri teria.\n\n Genera lly, the Commission made progress towards stren gt hening its\n information security program d urin g the 2003 fiscal year. The most\n commendable aewmplishm ents inc lude:\n\n        -/ Filling the position o f Chief lntbnnatlon Officer (CIO);\n\n        -/ Incorporating in the C IO\'s performance measures the successful\n           resolution o f open rc\xc2\xabImmendations in the OIG infonnation\n           technology audit reports;\n\n        -/ Assessing the costs and benefits of obtaining vendor su pport for\n           essenti al informa tion tec hno logy services ; and\n\n        -/ Provid ing technical training to the network adm in istrator, who will\n           oversee (>IJlSOurced network maintenance as well as o ther techn ical\n           staff.\n\nAtso, the Commission procu red a new network operating system (llew !TC-\nNET) that has the capability to strengthen access wlI!rols. We d id nol test\nthes e controls, however , because the Commission had 110 t oom ple1ed\ninst alli ng it and certi fying it for use.\n\x0c11M: Commission m usttake further ac lion in o rder to achie\\ e cu\'lSi \' lenc y with\nU.S. O ffice of Managemeol and 8 udgd (O MB) Circular No. A. 1J O,\nAppend ix III $ecu.rityof F~I AU\'O#III2/nJ Information Resourcn (Febnaary\n1996). We made 18 I"\\\'COmmcndalions 10 impro~\xc2\xb7e the Commission \'. IT\n-=unt,.. In addilioo lO the 16 recommendalions from 0lG-AR.{J2-4l 2\n(Scplembc:r 13, 2002). this report identifies 6 _ , unreported or paniai ly\nresolved weeknesses, The Commi!lSion ~ with our findinp and\n~""""""""\'-\n\nDue 10 !he scnsili ~ nalUrC o fl hc information contained in our n:port. ... e ha~\nlimiled dislribution of the rq><>rt.\n\n\n                                          ,/;,..;zL/c:d/4\'-.-\n                                                Kenneth F. Clarice\n                                                I"""""" General\n\x0c'